Christian Kreibich
Click Trajectories
End-to-End Analysis of the Spam Value Chain


Spam-based advertising is a business. While it has engendered both widespread antipathy and a multi-billion dollar anti-spam industry, it continues to exist because it fuels a profitable enterprise. We lack, however, a solid understanding of this enterprise's full structure, and thus most anti-spam interventions focus on only one facet of the overall spam value chain (e.g., spam filtering, URL blacklisting, site takedown).

In this project, our colleagues at UCSD and our team at ICSI conduct a holistic analysis that quantifies the full set of resources employed to monetize spam email — including naming, hosting, payment and fulfillment — using extensive measurements of three months of diverse spam data, broad crawling of naming and hosting infrastructures, and over 100 purchases from spam-advertised sites. We relate these resources to the organizations who administer them and then use this data to characterize the relative prospects for defensive interventions at each link in the spam value chain.

Figure: value chain of a spam-advertised pharmaceuticals purchase. (If you would like to use the diagram elsewhere, I would appreciate a quick note — thanks.)

We provide the first strong evidence of payment bottlenecks in the spam value chain: 95% of spam-advertised pharmaceutical, replica and software products are monetized using merchant services from just a handful of banks. For details, take a look at the paper.

For a more in-depth analysis of spam conversion in one particular botnet, take a look at our earlier Spamalytics project.



  • Advertising material from Azerigazbank (AG Bank), the Azerbaijani bank that handled payment of over 60% of our purchases.


updated on 26 July 19 | yummy spam, yesss... built with TT | (cc) Christian Kreibich